Cyber security is a field rife with challenges, a dynamic landscape where IT teams continuously strive to outpace malicious adversaries. However, new strategies and innovations are continually emerging to safeguard users, applications, infrastructure, and digital assets of organisations, regardless of their location.
In our recent blog, we explored the idea of security tool consolidation as a path to simplifying environments that seem to be increasing exponentially in complexity. Now, we’re narrowing our focus to a particularly challenging area for security teams – breach detection and response. The ability to detect a breach quickly and respond in time to stop or reduce the impact of an attack is critical. An IBM report in 2022 calculated the average time to detect and contain a cyber attack is 287 days. There are other stats and averages quoted through various surveys, but the reality is that too many breaches go undetected – or are detected too late for any kind of proactive defence.
The complexity and evasion tactics of cyber attackers are at the heart of missed breaches. Attack methodologies continually evolve in sophistication, designed to bypass traditional defences unnoticed, like ghosts in the night. Monitoring tools help, but despite advancements, alert management remains a delicate balancing act to minimise false positives (and negatives). Environmental complexity also impacts this, with forty-three percent of respondents of an RSA conference survey saying their number one challenge in threat detection and remediation is an overabundance of tools so alerts just aren’t seen.
If that’s not enough to worry about, then the number of possible attack vectors, each with streams of data that need to be correlated to gain a picture of what is actually happening, takes the challenge to a whole new level.
Another factor in the difficulty of detecting breaches is the way the breach is executed. In our experience, compromised user credentials remain a significant cause of undetected cyber security breaches, often stemming from human error, misuse of privileges, social engineering attacks, and, crucially, stolen credentials. The Notifiable Data Breaches Report from July to December 2023, published by the Office of the Australian Information Commissioner (OAIC), records that a significant proportion of data breaches resulted from cyber security incidents where compromised or stolen credentials were involved. Further substantiation comes from the 2024 Verizon Data Breach Investigations Report (DBIR), which continues to spotlight credential compromise as a dominant threat in the cyber security landscape.
In these scenarios, once an attacker gains access, they are careful to avoid behaviour that would trigger an abnormal activity alert until they’re ready to quickly exfiltrate data and get out before any response can stop them. Defending against this requires a high level of cyber security maturity and resources such as a Security Operations Centre (SOC) to configure and operate the right tools.
A glaring skills shortage makes this level of maturity difficult to achieve. Without experienced cyber security experts, gaps in the configuration of defensive measures go un-rectified, and the knowledge needed to interpret alerts and understand what is happening at different points in time are gaps that attackers can easily exploit.
Constructing a totally impregnable defence might be impossible, but there are still ways to improve your capabilities, such as:
In discussions with customers, our teams have noticed a growing perception that AI will solve all their cyber security problems. In sporting parlance, it’s viewed as a “Hail Mary pass” – an all-or-nothing attempt to win.
While AI is still in relative infancy in a security context, there’s little doubt it offers the potential to better automate complex and data-intensive tasks with the granularity required to manage subtle differences in breach events. It can also help less experienced security teams unravel the overwhelming volume of threat indicators needed to better predict attackers’ movements. However, it’s not an instant panacea.
Like any new tool, it can’t transform a poorly designed and managed environment. For example, if you’re not currently patching all your infrastructure consistently, AI won’t solve all your problems.
AI’s efficacy is also tethered to data – vast oceans of it, raising flags around privacy. The integrity and confidentiality of sensitive information become key concerns as AI models feast upon data to hone their predictive prowess. Despite its acumen, AI is not immune to the false positives and negatives that currently frustrate security teams.
Moreover, as security teams use AI more, so do adversaries, leading to an AI arms race. It’s a high-stakes game of innovation and counter-innovation, where staying ahead requires constant vigilance and adaptation. Maintenance and calibration become critical in keeping AI defences effective. Without regular updates and tuning, its effectiveness can rapidly diminish.
While Extended Detection and Response tools have been around for a while, recent advances in capabilities, such as Cisco XDR’s integration with newly acquired Splunk ES, have given them new momentum. They address many of the threat detection challenges outlined above by leveraging the power of integration, analytics, and automation.
By amalgamating data from various sources—be it network devices, cloud environments, endpoints, or email systems—Cisco XDR provides security teams with a much-needed comprehensive view of their infrastructure. This centralisation of detection and response capabilities can help address the challenge of shadow IT and scattered defences by making it harder for that activity to ‘fly under the radar’. Coupled with advanced analytics and machine learning, the platform identifies and isolates anomalous behaviour, cutting through the noise of false positives and focussing on genuine threats.
Automation in XDR not only accelerates the resolution of threats, but also streamlines the management of security alerts, alleviating the burden on security teams and combating alert fatigue.
Finally, the platform’s integration capabilities ensure that an organisation’s plethora of security tools can operate in concert rather than in isolation. This unity enhances the overall efficacy of defence mechanisms and simplifies the security management landscape.
Despite these advancements, resourcing challenges can still hinder organisations, and this is where outsourcing arrangements are growing in popularity.
Today’s outsourcing offerings are more nuanced. While a fully managed SOC is still a possibility, specific capabilities such as managed SASE, SD-WAN or XDR can be chosen individually or collectively from a menu of options. This hybrid approach offers a middle ground, complementing existing in-house resources with access to higher levels of expertise. It’s a partnership where control and collaboration merge to form increasing levels of cyber security maturity.
To learn more about how Data#3 can enhance your cyber security capabilities, contact us today for a consultation or to discuss a free trial. Discover how we can help you stay ahead of cyber threats and protect your digital assets with the latest in breach detection and response technology.